
Antimalware Doctor. Help!

  • 27-07-2010 7:43pm
    #1
    Closed Accounts Posts: 25


    I have a virus on my laptop called Antimalware Doctor. It's one that keeps popping + telling me I'm not secure and I cannot get rid of it. I have McAfee running a full scan but it isn't picking it up. I can't uninstall it with disk cleanup; when I try that it just opens it, not uninstalls it.
    Anyone know how I can get rid of it given that I'm not the most tech savvy person in the world?
    Is it possible to get rid of it or will I have to take it to some computer shop? Wouldn't that cost a fortune? Cos I just can't afford to spend a load.

    Can anyone help? I'm at my wits' end with it.

    Thanks.



Comments

  • Registered Users, Registered Users 2 Posts: 92 ✭✭jolsen


    Try using http://www.malwarebytes.org/mbam.php (the free version), it's pretty effective against these types of malware.

    Let me know if you're having trouble, there's always other options.


  • Closed Accounts Posts: 25 Colette1712


    Thanks, I've tried that but the scan takes so long that it crashes before it finishes + I'm still stuck with this virus.


  • Closed Accounts Posts: 11 dpmurray


    Try Spybot-Search and Destroy. http://www.safer-networking.org/index2.html

    Dodgy name I know but I used it a few weeks ago to clean a machine with this same virus. It'll remove most bad stuff on your machine - then run Malware anti-malware and it'll pick up the rest

    Oh - and run a quick scan either in Malware anti-malware to avoid the crashing


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txts will open.
    • Save both reports to your desktop.


    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


  • Registered Users, Registered Users 2 Posts: 39 Real_World?


    I had the same issue last night. Antimalware Doctor suddenly appeared. My McAfee Subscription didn't pick it up before which was annoying.

    But now realise that I should be running Malware programs as well.

    I downloaded http://www.malwarebytes.org/mbam.php last night and ran a quick scan, which took about 15 mins. It was successful in taking Antimalware Doctor off my laptop.
    As it identified 13 threats.

    Then I restarted the laptop and there were still 5 threats on the laptop. As I have run Malware again and it picks these and deletes them but same again when you restart the laptop the 5 threats are there.

    Have been looking at using Trojan-Remover to see if it will get rid of the last 5 threats. I'll post how I get on tonight. Extremely annoying after paying for McAfee.

    My friend recommended AVG Free Edition 9.0, should have listened to him.


  • Closed Accounts Posts: 25 Colette1712


    Whenever I try Malwarebytes it picks up some threats + I remove them but then, when I restart up the laptop, there pops Antimalware Doctor again!

    And malwarebytes has twice scanned for over 3 hours and then the whole laptop crashed!
    Someone today told me that malwarebytes itself is a virus. Is that right??


  • Registered Users, Registered Users 2 Posts: 39 Real_World?


    Last night I ran through the following steps.

    1. Turned off Wifi on my laptop.
    2. Ran Malwarebytes full scan, which took 1hr 48 minutes. Found 3 threats and fixed. Restarted laptop. And no threats found.
    3. Turned on Wifi and the broadband was on. Immediately my McAfee picks up 5 threats. Checked my broadband router/modem and it was going mad with all the lights flashing. But I hadn't even opened Internet Explorer on the laptop.
    4. Ran Malwarebytes again. Identified the 5 threats and fixed. Didn't restart laptop.
    5. Downloaded SUPERAntiSpyware program. As I have seen it recommended on several forums.
    6. I ran a quick scan with SUPERAntiSpyware. It identified 35 threats to the laptop. Of which 20 odd were cookies which I thought were all deleted the day previous when I cleared them out.
    7. There was a ROOTKit / 2 Trojans / 3 Worms and a backdoor identified by SUPERAntiSpyware. The Rootkit I think was in my WinShell script for explorer.exe.
    8. Allowed SUPERAntiSpyware to fix the problems and restarted.
    9. No issues now. Have run Malware twice and SUPERAntiSpyware once. Tonight I intend to do a full scan with SUPERAntiSpyware to see that there are no other problems.

    I always have the broadband on at home. So the laptop just connects automatically to it when it starts up. And Malwarebytes just wasn't good enough to fix the problems.


  • Closed Accounts Posts: 1,512 ✭✭✭u140acro3xs7dm


    I say change your WEP/WPA key to start with and then follow ASJ112's instructions above to run DDS; he can read the log and advise you from there. You could be pissing into the wind just scanning with MBAM every day, it could need something more powerful.


  • Registered Users, Registered Users 2 Posts: 39 Real_World?


    ET_phone_home you are right.

    I ran SUPERAntiSpyware last night - Full Scan, which I hadn't done before, and it found a ROOTkit.
    Nothing else found on the laptop. Restarted and reran SUPERAntiSpyware and the ROOTkit is still there.

    It's called - Rootkit.Agent/Gen.TDSS found it in my files.
    C:\WINDOWS\SYSTEM32\DRIVERS\QZLFMZK.SYS

    Question 1 : Is it enough to just delete this file and restart. Or do I need to use something like COMBOFIX to clean the laptop of this Rootkit.
    Or DDS pull down logs and post. Hoping that somebody might have an idea.

    Question 2 : Change the WPA/WEP key, how easy is that. Can I just use a WEP/WPA generator. As I just googled it.

    Thanks





    (Still very annoyed that my McAfee didn't catch this.)


  • Closed Accounts Posts: 1,512 ✭✭✭u140acro3xs7dm


    Run DDS and post the logs up here and one of the experts will come along and read them for you and tell you what action to take next. They are very successful at getting rid of them. I don't think you should use ComboFix without being advised to by someone who knows their stuff; it's a very powerful tool and could harm your computer when not used correctly.

    To change your WEP/WPA, type 192.168.1.1 into your browser and enter your password (if you never set this, google the model of your router and you should find a default one). WPA2 is more secure than WEP.

    As for McAfee, it's not the best and it's an anti-virus, which means it's not great at picking up malware. Personally I run Malwarebytes once a week or any time I think I might have stumbled onto a bad site.

    So most important thing to do is post your DDS log here and obviously don't use your credit cards and such, and when you get it fixed it might be a good idea to change your passwords.


  • Moderators, Business & Finance Moderators, Regional South Moderators Posts: 6,854 Mod ✭✭✭✭mp22






    Question 2 : Change the WPA/WEP key, how easy is that. Can I just use a WEP/WPA generator. As I just googled it.

    http://www.boards.ie/vbulletin/showthread.php?t=2055368633


  • Registered Users, Registered Users 2 Posts: 39 Real_World?


    Thanks for all the comments.

    I have not had an opportunity to run the DDS on my laptop. Intending to give it a try over the weekend and will post the logs.

    I'll also have to sort out my WPA/WEP key. I'm using a Perlico broadband router. A couple of months ago I had lots of problems with it. But will give it a go at changing it.


  • Registered Users, Registered Users 2 Posts: 39 Real_World?


    My laptop is infected with - Rootkit.Agent/Gen.TDSS found it in my files.
    C:\WINDOWS\SYSTEM32\DRIVERS\QZLFMZK.SYS

    Any advice would be much appreciated. Thanks


    I have pasted in the recommended DDS txt files and attached both of the files.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Dave at 20:23:47.14 on 08/08/2010
    Internet Explorer: 8.0.6001.18928
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.3581.2014 [GMT 1:00]
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    ============== Running Processes ===============
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Dell\DellDock\DellDock.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Windows\OEM02Mon.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Fingerprint Reader Suite\psqltray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Nike+ Utility\Nike+ Utility.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Users\Dave\Desktop\dds.com
    C:\Windows\system32\wbem\wmiprvse.exe
    ============== Pseudo HJT Report ===============
    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=1081208
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=1081208
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
    mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
    mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nike_u~1.lnk - c:\program files\nike+ utility\Nike+ Utility.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: DisableCAD = 1 (0x1)
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
    LSA: Notification Packages = scecli psqlpwd
    ============= SERVICES / DRIVERS ===============
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-8 214664]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-12-8 73728]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-16 93320]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-8 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-8 144704]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-16 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-8 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-8 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-8 40552]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-20 136176]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-8 30192]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-8 34248]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-12-8 209408]
    =============== Created Last 30 ================
    2010-07-28 20:48:06 0 d-----w- c:\users\dave\appdata\roaming\SUPERAntiSpyware.com
    2010-07-28 20:48:06 0 d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-07-28 20:47:58 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-07-27 22:34:30 0 d-----w- c:\users\dave\appdata\roaming\Malwarebytes
    2010-07-27 22:34:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-27 22:34:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-27 22:34:11 0 d-----w- c:\programdata\Malwarebytes
    2010-07-27 22:34:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-27 20:46:19 766976 ----a-w- c:\windows\system32\drivers\qzlfmzk.sys
    2010-07-18 12:11:37 65536 --sha-w- c:\users\dave\NTUSER.DAT{837679f7-9265-11df-8055-002269c392a6}.TM.blf
    2010-07-18 12:11:37 524288 --sha-w- c:\users\dave\NTUSER.DAT{837679f7-9265-11df-8055-002269c392a6}.TMContainer00000000000000000002.regtrans-ms
    2010-07-18 12:11:37 524288 --sha-w- c:\users\dave\NTUSER.DAT{837679f7-9265-11df-8055-002269c392a6}.TMContainer00000000000000000001.regtrans-ms
    ==================== Find3M ====================
    2010-08-08 18:43:48 31776 ----a-w- c:\programdata\nvModes.dat
    2010-08-05 21:05:39 3176 ----a-w- c:\users\dave\appdata\roaming\wklnhst.dat
    2010-07-15 14:18:22 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-06-08 19:30:02 56 ---ha-w- c:\programdata\ezsidmv.dat
    2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
    2009-11-21 12:48:03 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-11-21 12:48:03 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-11-21 12:48:00 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-11-16 18:51:57 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2008-12-08 12:05:36 74 --sh--r- c:\windows\CT4CET.bin
    2010-02-02 18:59:48 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
    2010-02-02 18:59:48 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
    2010-02-02 18:59:48 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
    2009-12-15 22:51:37 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2008-12-25 21:07:51 16384 --sha-w- c:\windows\temp\cookies\index.dat
    2008-12-25 21:07:51 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
    2008-12-25 21:07:51 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
    2008-12-08 20:21:50 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
    ============= FINISH: 20:25:59.63 ===============


  • Closed Accounts Posts: 407 ✭✭jpl888


    Reinstall the laptop, since the rootkit could've modified and be doing anything far beyond the initial rootkit's capabilities. That's the only way you'll be sure it's gone.

    Or you could just leave it and hope. If it were my machine I know what I would do.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    It's not though, is it



    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

      Click me

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [Image: RcAuto1.gif]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [Image: whatnext.png]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Closed Accounts Posts: 407 ✭✭jpl888


    Ok but you can't tell me or the OP that that will definitely remove everything can you.

    You can run all the AV, Anti-Malware, Anti-Rootkits you like it doesn't necessarily mean that Windows will be clean afterwards. I think it's important to point that out.

    All the best.


  • Closed Accounts Posts: 387 ✭✭Isotonic


    I've got the same problem. Ran Malwarebytes but couldn't remove it. This is the log. Any ideas??

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4052
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18943
    25/08/2010 22:26:56
    mbam-log-2010-08-25 (22-26-56).txt
    Scan type: Quick scan
    Objects scanned: 118793
    Time elapsed: 12 minute(s), 27 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 7
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\Users\Brian\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metropolis (Trojan.Downloader) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-1668386628-4739918463-991269328-2719\mwau.exe,explorer.exe,C:\Users\Brian\AppData\Roaming\ohydy.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\RECYCLER\S-1-5-21-1668386628-4739918463-991269328-2719\mwau.exe (Worm.Autorun.B) -> Delete on reboot.
    C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Brian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Brian\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Brian\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
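
Several posters in this thread report detections coming back after a restart. As an added example (not part of any post here), the Python script below parses a Malwarebytes' Anti-Malware 1.x log in the layout posted above and lists which detections sit in autostart locations and which removals are deferred to the next boot. The sample log is constructed, and the function names and the autostart rule list are assumptions of this example, not Malwarebytes' own categories.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the log posted above; every path
# and name is a placeholder, not a value from a real machine.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Scan type: Quick scan
Memory Modules Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 4
Memory Modules Infected:
C:\Users\User\AppData\Local\Temp\example1.dll (Trojan.Downloader) -> Delete on reboot.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\example.exe,explorer.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\RECYCLER\example.exe (Worm.Autorun.B) -> Delete on reboot.
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Temp\example1.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Tasks\{00000000-0000-0000-0000-000000000000}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "Files Infected:" starts a detail section; "Files Infected: 4" is only a count.
HEADER = re.compile(r"^(?P<section>.+) Infected:$")
# "<object> (<detection name>) -> <rest>"; the object may itself contain spaces.
ITEM = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$")

# Assumed rule list: locations Windows reads at boot or logon to start programs.
AUTOSTART_RULES = [
    ("Winlogon Shell value", re.compile(r"\\winlogon\\shell$", re.I)),
    ("Run key value", re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.I)),
    ("Startup folder shortcut", re.compile(r"\\start menu\\programs\\startup\\", re.I)),
    ("Scheduled task", re.compile(r"\\windows\\tasks\\[^\\]+\.job$", re.I)),
]


@dataclass
class Finding:
    section: str    # e.g. "Registry Values"
    obj: str        # file path or registry location
    detection: str  # e.g. "Trojan.Downloader"
    action: str     # what the scanner did, or will do at reboot
    detail: str     # "Bad: (...) Good: (...)" text on registry data items


def parse_mbam_log(text):
    """Return one Finding per detection line, tagged with its section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            section = header.group("section")
            continue
        item = ITEM.match(line)
        if not (item and section):
            continue  # banner, counts, "(No malicious items detected)"
        # The action is whatever follows the last " -> " on the line.
        detail, _, action = item.group("rest").rpartition(" -> ")
        findings.append(Finding(section, item.group("obj"), item.group("det"),
                                action.rstrip("."), detail))
    return findings


def autostart_kind(obj):
    """Name the autostart mechanism an object belongs to, or None."""
    for kind, pattern in AUTOSTART_RULES:
        if pattern.search(obj):
            return kind
    return None


def triage(findings):
    """Separate autostart entries from removals that only happen at next boot."""
    autostart = [(autostart_kind(f.obj), f.obj) for f in findings
                 if autostart_kind(f.obj)]
    pending = list(dict.fromkeys(
        f.obj for f in findings
        if f.action.lower().startswith("delete on reboot")))
    # Anything still pending has not been removed yet, so the result of this
    # scan can only be confirmed by scanning again after the restart.
    return {"autostart": autostart, "pending_reboot": pending,
            "rescan_after_reboot": bool(pending)}


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    for kind, obj in report["autostart"]:
        print(f"autostart  [{kind}] {obj}")
    for obj in report["pending_reboot"]:
        print(f"pending    {obj}")
    print("rescan after reboot:", report["rescan_after_reboot"])
```
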


  • Closed Accounts Posts: 407 ✭✭jpl888


    Reboot in safe mode, run Malwarebytes again and also do a Microsoft Security Essentials scan.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    please waste your time


  • Closed Accounts Posts: 407 ✭✭jpl888


    ASJ112 wrote: »
    don't waste your time

    Is making the same post you made a few posts ago except for one line useful?

    Personally I think the space on this page would've been better used referring to your earlier post. It's a "waster of time" to have to read through the same thing twice.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    It's a "waster of time" to have to read through the same thing twice.
    It's a "waster of time" to have to reply to your posts over and over. The user has already run MBAM and it hasn't worked, it makes no difference running mbam in safe mode or in normal mode, and that comes from the developer himself before you argue it.

    As for MSE, chances are the user already has an anti-virus installed. Installing an AV on an infected machine can cause a load of problems, and likewise installing an AV on a machine that already has one is a terrible idea, now when you combine both these situations, the advice is not very helpful.


    On the other hand, you don't even give the user a link to MSE or what to do with it. Your post was hardly helpful now was it. This is one way of how users get tricked into downloading rogue programs.


    The user can go and follow your advice if he wants, but if MBAM has already failed then no AS or AV scanner will succeed. So he will have wasted his time. I've been helping here a long time, and to any of the users who actually follow my advice completely, they always get the malware removed in the end.


  • Closed Accounts Posts: 407 ✭✭jpl888


    ASJ112 wrote: »
    It's a "waster of time" to have to reply to your posts over and over. The user has already run MBAM and it hasn't worked, it makes no difference running mbam in safe mode or in normal mode, and that comes from the developer himself before you argue it.

    How about you give a link to prove that point? To my mind if you are in safe mode less will be running (including potential spyware/virus) which could stop the anti-malware from doing its job.
    ASJ112 wrote: »
    As for MSE, chances are the user already has an anti-virus installed. Installing an AV on an infected machine can cause a load of problems, and likewise installing an AV on a machine that already has one is a terrible idea, now when you combine both these situations, the advice is not very helpful.

    I've never seen installing AV cause an infected machine to get worse beyond getting a bit slower. Again proof of point needed. I'll agree removing existing AV would be a good idea, not necessarily fatal to have 2 on there though, again just likely to slow things down more. "Terrible" is a bit strong.
    ASJ112 wrote: »
    On the other hand, you don't even give the user a link to MSE or what to do with it. Your post was hardly helpful now was it. This is one way of how users get tricked into downloading rogue programs.

    Maybe we have different ideas of what users are capable of. To my mind firing up Google and typing "Microsoft Security Essentials" or even "security essentials" will bring it up. I don't know of many people that can't Google. Assuming people are completely computer illiterate is making things hard for everyone. I try to gauge competency and tailor responses accordingly. Yes, putting links directly into threads is another way of tricking people, neither way is totally verifiable.

    ASJ112 wrote: »
    The user can go and follow your advice if he wants, but if MBAM has already failed then no AS or AV scanner will succeed. So he will have wasted his time. I've been helping here a long time, and to any of the users who actually follow my advice completely, they always get the malware removed in the end.

    I don't honestly know how you can say that? You have checked every AS/AV scanner out there have you? MSE is supposed to be anti-malware/spyware/virus. Again lots of unverifiable posits.

    Let's look at stats, you have approx 200 posts I have 250 but I have been thanked twice as much and I haven't asked anyone. Maybe it's just because I'm nice huh?

    I'm not claiming to be king of anti-malware/spyware or anything and I'm not claiming that your post won't work, I'm just open minded enough to realise there is more than one way to achieve most things on a computer.

    I certainly don't dismiss others offering help by saying what they are suggesting is "a waste of time".


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    This will be my last response to you here as we are hijacking a user's topic, but I will address some of your points
    How about you give a link to prove that point?
    http://forums.malwarebytes.org/index.php?showtopic=5421

    Rubber Ducky is the creator of MBAM if you are not aware. The way mbam does deletions means that it doesn't matter if it's in safe mode.

    I've never seen installing AV cause an infected machine to get worse beyond getting a bit slower.
    http://www.computing.net/answers/windows-7/asrock-win7-booting-problems-after-av-install/1938.html
    http://www.bit-tech.net/news/2008/11/12/avgi-bug-leaves-windows-unbootable/1
    http://www.computing.net/answers/windows-xp/avg-antivirus-makes-xp-unbootable/124280.html
    http://en.kioskea.net/forum/affich-91887-installed-avast-did-boot-scan-cant-log-on
    http://www.bleepingcomputer.com/forums/topic342015.html
    http://www.spywareinfoforum.com/index.php?/topic/129741-bamital-trojan/
    https://hitmanpro.wordpress.com/2010/08/19/bamital-trojan-infects-winlogon-exe-and-explorer-exe/

    I could find plenty more if I was bored and didn't mind wasting my time. The reason why you should do a manual removal is because malware patches windows files a lot of the time, and as you can see above concerning bamital ( which is doing the rounds at the moment ), AVs are deleting the windows files making the PC unbootable.

    Maybe we have different ideas of what users are capable of. To my mind firing up Google and typing "Microsoft Security Essentials" or even "security essentials" will bring it up.
    Am not sure googling "Security essentials" would be too wise, it being a rogue anti-spyware program that infects your PC

    http://www.geekstogo.com/forum/topic/269049-removal-instructions-for-security-essentials-2010/

    The simple fact is, a lot of users do get infected this way, the rogues are just too convincing these days. You can also find ones impersonating Avira, calling themselves Antivirus 2010 and Antivir Solution Pro, or pretending to be nortons symantec aka "Sysinternals Antivirus". There have been some pretending to be MBAM.

    Let's look at stats, you have approx 200 posts I have 250 but I have been thanked twice as much and I haven't asked anyone. Maybe it's just because I'm nice huh?
    Actually I've had an account here since 2007 which has 2000 posts, majority of them being in the malware forum since I don't post anywhere else. I have no idea how many "thanks" I have nor do I care. Maybe you are nicer than me too, but I'm here to remove malware from users machines, not to be their friends.


    Your way may work ( doubtful ), but it's a dangerous way. Mine on the other hand will work and is not dangerous. This user is all yours though, good luck


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    ASJ112 wrote: »
    ...... if MBAM has already failed then no AS or AV scanner will succeed.

    It might be worth trying one of the bootable Antivirus CD's from Avira or Bitdefender. Maybe they'd help remove some of the stains that other antivirus softwares leave behind?


  • Closed Accounts Posts: 387 ✭✭Isotonic


    thanks for that lads. I just use computer for trading, internet and playing poker so restored the factory settings which removed the problem. thanks again


  • Closed Accounts Posts: 407 ✭✭jpl888


    Isotonic wrote: »
    thanks for that lads. I just use computer for trading, internet and playing poker so restored the factory settings which removed the problem. thanks again

    Right well I've found a lot of those poker sites cause problems. Whatever clients they use are sending out all sorts of traffic. Maybe it's just the same kind of user likes porn and gets infected that way.

    Anywho install something like Comodo Time Machine and at least you will be able to go back to an earlier time on your computer if you get infected again. Don't forget to synchronize any data directories so you don't lose important stuff.


  • Closed Accounts Posts: 407 ✭✭jpl888


    ASJ112 wrote: »
    This will be my last response to you here as we are hijacking a user's topic, but I will address some of your points


    http://forums.malwarebytes.org/index.php?showtopic=5421

    Rubber Ducky is the creator of MBAM if you are not aware. The way mbam does deletions means that it doesn't matter if it's in safe mode.

    It may not matter to Malwarebytes but it matters to the spyware/malware. A lot of it will not run properly in safe mode. If the malware is trying to stop itself from being removed by other subversive techniques interfering with whatever scanner is being used. If the spyware isn't started it won't be able to stop its removal. QED.
    ASJ112 wrote: »

    "malware patches windows files" is exactly the reason that the only way to be 100% sure you are clean is to reinstall. I also mentioned that earlier in the thread. I don't know why you hold so much stock in Combofix or any other Anti-whatever.

    If the PC is made unbootable, stick the CD in run at least a repair reinstall and you are back up in less time than it takes a full AV/whatever scan to run.
    ASJ112 wrote: »
    Am not sure googling "Security essentials" would be too wise, it being a rogue anti-spyware program that infects your PC

    http://www.geekstogo.com/forum/topic/269049-removal-instructions-for-security-essentials-2010/

    The simple fact is, a lot of users do get infected this way, the rogues are just too convincing these days. You can also find ones impersonating Avira, calling themselves Antivirus 2010 and Antivir Solution Pro, or pretending to be nortons symantec aka "Sysinternals Antivirus". There have been some pretending to be MBAM.

    Here is what happens when I Google Security Essentials, no malware or references to until you get to bleeping computer 6 results down which is advising on removal, see attachment:-

    Fiddling a link on boards.ie (or any other forum) would be a lot easier than rigging Google's search results ergo Google is the safer bet in my opinion. Although I am sure malware has been able to get fairly high up the rankings, it's the lesser of 2 weevils.
    ASJ112 wrote: »
    Actually I've had an account here since 2007 which has 2000 posts, majority of them being in the malware forum since I don't post anywhere else. I have no idea how many "thanks" I have nor do I care. Maybe you are nicer than me too, but I'm here to remove malware from users machines, not to be their friends.

    I don't know why you would need to change accounts, perhaps you could elaborate? I won't be upset if you don't tell me why.

    All I will say is that the first 2 responses you made seemed to me to be fairly abrupt. I would have not felt emoted enough to call you to question had this not been the case. There are nicer ways of alluding to or saying the same things, you don't have to insult or be dismissive to get your point across.
    ASJ112 wrote: »
    Your way may work ( doubtful ), but it's a dangerous way. Mine on the other hand will work and is not dangerous. This user is all yours though, good luck

    Perhaps you could also tell me why your way is not dangerous? As I've already said several times it doesn't matter what removal program you run you can never be totally sure your computer is clean. A really good virus/malware will never make its presence felt and will happily sit in the background collecting card/password/sensitive written information ad infinitum.

    If there are no visible symptoms how will any user send sample files to "insert your AV/malware company here" for analysis, just exactly how will it be discovered? I'm sorry I just find your view naive and closed minded.


  • Closed Accounts Posts: 1,512 ✭✭✭u140acro3xs7dm


    jpl888 wrote: »
    Let's look at stats, you have approx 200 posts I have 250 but I have been thanked twice as much and I haven't asked anyone. Maybe it's just because I'm nice huh?.

    ASJ has been here for years with a very high success rate and I don't recall anybody following his instructions correctly and coming back with negative feedback. If they did they were in a huge minority. I presume he changed accounts when the site got hacked a few months ago, I believe he was formerly actor seeks job


  • Closed Accounts Posts: 407 ✭✭jpl888


    ASJ has been here for years with a very high success rate and I don't recall anybody following his instructions correctly and coming back with negative feedback. If they did they were in a huge minority. I presume he changed accounts when the site got hacked a few months ago, I believe he was formerly actor seeks job

    There's quite a bit of conjecture in there so you'll excuse me if I take it with a pinch of salt.

    After a bit of sleep I have also taken the time to go through the second set of links he provided in relation to 2 lots of AV causing serious problems. As far as I can see not one of those links pertains to that. They all relate to problems with one AV product at a time. I am sure people have issues installing other types of products too. It's also probably not a good idea to be complaining a lot when AV deletes a system file. I'd rather have that situation than AV that tries and fails miserably to disinfect a system file, lulling into a false sense of security.

    I did some calcs on thank you rates:-

    Actor Seeks Job - 5.6%
    ASJ112 - 7.9%
    JPL888 - 13.7%

    I was being sarcastic when I said "maybe I'm just nice" or words to that effect. I am also not here to make friends but I can also be civil and considerate. If the proof of the pudding is in the eating then I am by that measure, at the moment, better at sorting out problems than either of ASJ's incarnations and I certainly have a deeper vein of knowledge than just anti-whatever. I certainly wouldn't have people jumping to my defence which proves the "friends" point.

    Anti-whatever is a dodgy band-aid on the bad design and implementation that is Windows.

    The only true way to be safe is to use a snap-shot tool like Comodo Time Machine, reinstall or don't use Windows at all. End of.


  • Closed Accounts Posts: 1,512 ✭✭✭u140acro3xs7dm


    jpl888 wrote: »

    I did some calcs on thank you rates:-

    Actor Seeks Job - 5.6%
    ASJ112 - 7.9%
    JPL888 - 13.7%

    Just because you have a higher "Thank You" percentage does not mean you know more than everybody else. I have a higher percentage than you, So does this mean I know more than you?

    Personally I have been helped out many times on here by different people but I rarely hit the thank you button. Some people help out just to be nice and don't want anything in return and some are just looking for praise for the "efforts". It's like people that have 600 friends on facebook, it doesn't mean they are cooler than someone that has a fraction of that. They just want to look cooler.


  • Closed Accounts Posts: 407 ✭✭jpl888


    Just because you have a higher "Thank You" percentage does not mean you know more than everybody else. I have a higher percentage than you, So does this mean I know more than you?

    No you're right but then how else are we supposed to tell. It's not perfect but it's as good a way as any without putting an awful lot of effort in.

    And .whatever of a percent is negligible after 100 posts. The thing that says I know more than *a lot* of people is I have been working in the industry nearly 15 years looking after businesses running Windows/Netware/Linux, etc, etc. But you will have to take my word on that.
    Personally I have been helped out many times on here by different people but I rarely hit the thank you button. Some people help out just to be nice and don't want anything in return and some are just looking for praise for the "efforts". It's like people that have 600 friends on facebook, it doesn't mean they are cooler than someone that has a fraction of that. They just want to look cooler.

    I agree but I also pointed out earlier that I haven't been soliciting thank you's, so I think it is a fairly genuine reflection of ability. I am assuming that neither of ye have been soliciting either.

    Looking for friends I am not, did I mention that earlier? ;)

    I think the boards also count "thanks" written in posts? Which would be a lot more natural.


  • Closed Accounts Posts: 407 ✭✭jpl888


    Ahhhhhhh ASJ has thanked you for sticking up for him.

    In that case your rate definitely isn't representative LOL


  • Registered Users, Registered Users 2 Posts: 80 ✭✭Peter03


    I got this problem on my computer except it won't even let me run any files or programs at all. Can't even open Chrome to try and DL a fix. Any help would be great.

    Cheers.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    I am not going to tolerate any further clash of egos in this board. It's not about who you are, it's about helping people get muck off their systems.

    I simply do not care who you are. If you deviate from this you will be taking a week's holiday from the forum for a first offense, and an additional week for any repeat.


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Peter03 wrote: »
    I got this problem on my computer except it won't even let me run any files or programs at all. Can't even open Chrome to try and DL a fix. Any help would be great.

    If you can't download anything, even in safe mode, then you'll have to download everything onto another computer and transfer it over on a USB key or whatever else you have available.


  • Registered Users, Registered Users 2 Posts: 1,347 ✭✭✭Sean Quagmire


    Lads from what I can gather antimalware bytes is the best thing to use to remove it but this virus has blocked out my internet!

    I can download it onto my laptop but how could I transfer it to my PC? By usb?

    Also if I need to re-boot the PC in order to remove the virus, does it also remove my software, photos etc too?


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    I can download it onto my laptop but how could I transfer it to my PC? By usb?

    Yes that'd work fine.
    Also if I need to re-boot the PC in order to remove the virus, does it also remove my software, photos etc too?

    No, it'll only target bad things.


  • Closed Accounts Posts: 6,296 ✭✭✭RandolphEsq


    I have this pesky malware on my PC. Could anyone tell me if I just delete the user account where the antimalware doctor is rampant, will that be enough to sort the problem out? It isn't active in the other accounts


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    ....if I just delete the user account where the antimalware doctor is rampant, will that be enough to sort the problem out?

    Probably not. You should really try and remove the malware.


  • Registered Users, Registered Users 2 Posts: 11,440 ✭✭✭✭Piste


    Did any of the techniques recommended earlier in the thread work? I downloaded Microsoft Security Essentials which didn't even detect it. Then I downloaded Malwarebytes which detected and removed it or so I thought until I restarted my laptop and lo and behold, Antivirusdoctor was still there. Very Bad Buzz. It's been recommended to me to just reformat my entire laptop, but that would require backing everything up and I don't have a harddrive big enough to do it all. Besides it would take forever. Is there any way of getting it off my computer and knowing it's gone for good?

    Also, I know it's trying to con me into thinking it's genuine so I'll buy it, but is there anything more sinister to it? I've been told my laptop could now be part of a botnet, is this true?


  • Registered Users, Registered Users 2 Posts: 17,190 ✭✭✭✭IvySlayer


    Piste wrote: »
    Did any of the techniques recommended earlier in the thread work? I downloaded Microsoft Security Essentials which didn't even detect it. Then I downloaded Malwarebytes which detected and removed it or so I thought until I restarted my laptop and lo and behold, Antivirusdoctor was still there. Very Bad Buzz. It's been recommended to me to just reformat my entire laptop, but that would require backing everything up and I don't have a harddrive big enough to do it all. Besides it would take forever. Is there any way of getting it off my computer and knowing it's gone for good?

    Also, I know it's trying to con me into thinking it's genuine so I'll buy it, but is there anything more sinister to it? I've been told my laptop could now be part of a botnet, is this true?

    Did you do a System Restore? What antivirus do you have?


  • Closed Accounts Posts: 1,512 ✭✭✭u140acro3xs7dm


    Piste wrote: »
    Did any of the techniques recommended earlier in the thread work? I downloaded Microsoft Security Essentials which didn't even detect it. Then I downloaded Malwarebytes which detected and removed it or so I thought until I restarted my laptop and lo and behold, Antivirusdoctor was still there. Very Bad Buzz. It's been recommended to me to just reformat my entire laptop, but that would require backing everything up and I don't have a harddrive big enough to do it all. Besides it would take forever. Is there any way of getting it off my computer and knowing it's gone for good?

    Also, I know it's trying to con me into thinking it's genuine so I'll buy it, but is there anything more sinister to it? I've been told my laptop could now be part of a botnet, is this true?
    I would follow asj's recommendation to run DDS then post the logs here


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Piste wrote: »
    ..... Antivirusdoctor was still there.

    Could you post exactly what is that you're seeing (a screenshot even?)?

    Also, as ET_phone_home says, please download and run DDS (as per the instructions here) and attach the results.

    It could be that you have something in your startup items that's loading something that looks like Antivirusdoctor but is not actually in itself malicious. Anyway the files generated by DDS would tell a lot.


  • Registered Users, Registered Users 2 Posts: 1,181 ✭✭✭ronkmonster


    Clear your system restore points too. Some stuff could be backed up in there.


  • Closed Accounts Posts: 11 dpmurray


    Hi,

    I've removed this from a few machines already - I used this website http://www.bleepingcomputer.com/virus-removal/remove-antimalware-doctor

    If you can't get a browser working on your machine - use another to download the required files and follow the instructions exactly. Just running malwarebytes will not remove this crap - you have to disable the actual malware program first!

    Hope this helps


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    As far as I can remember, an up-to-date Malwarebytes will remove this in Safe Mode. Also use 'msconfig' to remove it from the startup processes while in Safe Mode.


  • Registered Users, Registered Users 2 Posts: 11,440 ✭✭✭✭Piste


    I managed to get rid of it in the end by running this scanner: http://www.eset.com/online-scanner/run it picked it up and got rid of it, when i restarted it wasn't there, so happy days!


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Piste wrote: »
    I managed to get rid of it in the end by running this scanner: http://www.eset.com/online-scanner/run it picked it up and got rid of it, when i restarted it wasn't there, so happy days!

    Good stuff. So was it that you tried the other suggestions and they failed or did you just happen to sort it out yourself with the Eset online scanner? I'm just curious whether or not other methods might also have been effective.


  • Registered Users, Registered Users 2 Posts: 11,440 ✭✭✭✭Piste


    Well after posting on this thread I posted on the general moaning/whinging thread on Clearasil and Hormones and somebody there recommended I try ESET, it was before my post on this thread had any replies so I didn't have the chance to try out any of the other suggestions.


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    Piste wrote: »
    Well after posting on this thread I posted on the general moaning/whinging thread on Clearasil and Hormones .....

    Tsk tsk! As a moderator might say, please keep updates on the same issue to the same thread.

